In this post, I am going to talk about the points related to security, which you have to take into account when you are setting up an Apache installation.

Restrictions for the Apache user

The Apache user must not be able to log into the system. If you take a look at both passwd and shadow files, you will be able to appreciate that no shell is assigned to him (/sbin/nologin), and the field reserved for the password will contain "!!". That means that the Apache user will not be able to log on the system (he is blocked).

You have to prevent that the system root (/) is accessible through the web server. It is also better to disable all options on the root directory (Options none) and control what directives can be used in the .htaccess file by means of the AllowOverride directive.

If you define the root directory with these characteristics, then you will have to add to each directory the allowed options.

Hiding a directory or a file

Perhaps you can have a directory completely indexed and in turn, it contains different subdirectories, but you do not want to make visible a concrete directory (hidden) and you desire that it is reachable only when you type its URL. For this purpose, you have to use the IndexIgnore option.

Subscribe to

Follow by Email

About the author...

Javier Andrés Alonso has got a Master's Degree in Telecommunication Engineering and a Bachelor's Degree in Telecommunication Technical Engineering (specialising in Telematics), from the Polytechnic School of the University of Alcalá de Henares.